Daily Drop (826): | SearchGPT | Luxottica | SN_BLACKMETA | DPRK: APT45 | RU: Meliorator | Smishing Triad | MSS: Ping Li | APT-C-09 | Internet Apocalypse | FBI: Encryption | Evasive Panda | GitHub |
07-26-24
Friday, Jul 26 2024 // (IG): BB // ShadowNews // Coffee for Bob
Measures of Effectiveness (MoE):
MoEs are used to assess how well a system or operation achieves its intended goals. They are qualitative or quantitative metrics that reflect the success of achieving desired outcomes. For example, in a cybersecurity context, an MoE could be the reduction in successful cyber-attacks after implementing new security protocols.
Results: We are seeing an uptick in “163.com”, “189.com” and “QQ” subscribers.
Chinese National Charged with Spying on U.S. Telecommunications and IT Companies
Bottom Line Up Front (BLUF): The U.S. Department of Justice has charged Ping Li, a Chinese immigrant residing in Florida, with espionage for allegedly providing information to China's Ministry of State Security (MSS) over the past decade. Li, who worked for a major U.S. telecommunications company and an international IT firm, is accused of passing sensitive information about U.S. cyberattacks, dissidents, and corporate matters to the MSS.
Analyst Comments: The arrest of Ping Li underscores the ongoing threat of espionage from China, particularly through insiders within key industries. Li’s access to sensitive information through his roles in major U.S. companies highlights the vulnerabilities posed by trusted employees who may be compromised or recruited by foreign intelligence agencies. This case also illustrates China's persistent strategy of leveraging its expatriate community to fulfill intelligence-gathering objectives.
FROM THE MEDIA: Ping Li, a 59-year-old Chinese immigrant and U.S. citizen, has been charged with spying for China’s Ministry of State Security (MSS). The indictment reveals that Li, who worked for a major telecommunications company and later an international IT company, allegedly provided the MSS with biographical data on Chinese dissidents, information on his employer’s operations, and details of cyberattacks linked to Beijing. Li is accused of using anonymous online accounts and traveling to China for covert meetings. If convicted, he faces up to 15 years in prison. This case highlights China's extensive espionage efforts in the U.S., targeting various sectors to obtain critical information.
READ THE STORY: The Register // PCMAG
OpenAI Launches SearchGPT, Challenging Google's Dominance in Search
Bottom Line Up Front (BLUF): OpenAI has launched SearchGPT, an AI-powered search engine currently in its prototype phase, aiming to compete with Google, Microsoft’s Bing, and Perplexity. This move marks OpenAI's direct entry into the search market, leveraging its advanced AI models to deliver real-time, conversational search results.
Analyst Comments: OpenAI's entry into the search engine market signifies a pivotal moment in the AI industry, challenging long-established giants like Google and Microsoft. By integrating real-time information with conversational capabilities, SearchGPT could revolutionize how users interact with search engines. The partnerships with prominent publishers and content licensing agreements suggest a strategic approach to address the challenges of content ownership and accuracy. However, the competitive landscape and potential legal hurdles highlight the complexities of this venture.
FROM THE MEDIA: OpenAI has introduced SearchGPT, an AI-driven search engine designed to provide real-time information from the web with a conversational interface. This prototype phase launch aims to refine the tool with a select group of users and publishers before broader integration into ChatGPT. Shares of Alphabet, Google's parent company, fell by 3% following the announcement. The move places OpenAI in competition with its primary backer, Microsoft's Bing, and Perplexity, another AI search startup. SearchGPT features summarized search results with source links and follow-up question capabilities, emphasizing collaboration with publishers like News Corp and The Atlantic for content management and licensing. This development comes amid a broader industry trend of integrating AI into search functionalities, as seen with Microsoft and Google's recent advancements.
READ THE STORY: Reuters // FT // The Register
Patchwork Hackers Target Bhutan Using Advanced Brute Ratel C4 Tool
Bottom Line Up Front (BLUF): The Patchwork hacking group, also known as APT-C-09, has launched a cyber attack on entities linked to Bhutan, employing the Brute Ratel C4 framework and an updated PGoShell backdoor. This marks their first use of Brute Ratel C4.
Analyst Comments: Patchwork's use of Brute Ratel C4 and PGoShell highlights the group's evolving capabilities and sophisticated techniques. Known for their spear-phishing and watering hole attacks, this new strategy indicates a shift towards more advanced red teaming tools. This development suggests a significant escalation in their cyber espionage activities, likely increasing the threat to targeted regions and organizations. Entities in Bhutan and other potential targets should enhance their cybersecurity measures to defend against such advanced attacks.
FROM THE MEDIA: The Patchwork hacking group, also known as APT-C-09, has been linked to a cyber attack targeting Bhutanese entities, utilizing the Brute Ratel C4 framework and an updated version of PGoShell. The attack begins with a Windows shortcut file that downloads a decoy PDF while deploying the malicious tools. Patchwork, active since at least 2009, has previously targeted China and Pakistan. Their recent campaign used romance-themed lures to infect Android devices in Pakistan and India. This incident underscores the group's increasing use of sophisticated tools to enhance their cyber espionage capabilities.
READ THE STORY: THN
FBI Uncovers Russian AI Tool Used to Spread Disinformation on Social Media
Bottom Line Up Front (BLUF): A joint advisory by the FBI and international partners has revealed the use of an AI-powered bot farm by Russia’s FSB to create and deploy fake social media profiles aimed at spreading disinformation.
Analyst Comments: The deployment of the Meliorator tool by Russian state-sponsored actors represents a significant escalation in the use of AI for information warfare. This operation underscores the evolving capabilities of adversaries to manipulate social media environments on a large scale, posing substantial challenges to countering disinformation and protecting the integrity of online discourse.
FROM THE MEDIA: The FBI, alongside domestic and international intelligence agencies, has identified a Russian operation using the Meliorator AI tool to generate fake social media profiles. These profiles, or "souls," vary in complexity and activity, designed to mimic genuine users and propagate disinformation. The Meliorator bot farm, operational since 2022, includes an admin panel called “Brigadir” and a seeding tool named “Taras,” storing profiles in a MongoDB database. The Justice Department has seized domains and social media accounts linked to this operation, developed by an RT deputy editor-in-chief, to advance Russian disinformation campaigns, particularly about the Russia-Ukraine conflict.
READ THE STORY: The Cyber Express
China-Linked APT Group Uses New Macma macOS Backdoor Version
Bottom Line Up Front (BLUF): The China-linked APT group Daggerfly, also known as Evasive Panda or Bronze Highland, has updated its malware arsenal, including a new version of the Macma macOS backdoor and an enhanced MgBot malware framework. These tools were used in recent cyber espionage campaigns targeting organizations in Taiwan and a U.S. NGO based in China.
Analyst Comments: Daggerfly's continuous evolution of its malware toolkit underscores the group's persistent threat in cyber espionage. The updated Macma backdoor and MgBot framework exemplify the sophisticated techniques employed by state-sponsored actors to enhance their operational capabilities and maintain long-term access to compromised networks.
FROM THE MEDIA: Daggerfly (Evasive Panda) has enhanced its toolset with a new version of the Macma macOS backdoor and updated MgBot malware. These tools were recently deployed in attacks on Taiwanese organizations and a U.S. NGO in China. The group, active for over a decade, uses the MgBot framework extensively and has updated its malware to evade detection and enhance functionality. The Macma backdoor, initially detailed by Google in 2021, supports device fingerprinting, command execution, screen capture, keylogging, audio capture, and file transfers. The malware's evolution indicates Daggerfly's adaptability and persistent threat in cyber espionage.
READ THE STORY: Security Affairs
Meta Removes 63,000 Instagram Accounts Linked to Nigerian Sextortion Scams
Bottom Line Up Front (BLUF): Meta Platforms has removed around 63,000 Instagram accounts involved in financial sextortion scams targeting adult men and minors, predominantly in the U.S. The operation included 7,200 assets linked to the Nigerian cybercrime group Yahoo Boys.
Analyst Comments: Meta's extensive crackdown on sextortion scams highlights the ongoing challenges social media platforms face in combating cybercrime. The cooperation between Meta and law enforcement underscores the importance of coordinated efforts to tackle digital fraud and protect vulnerable users from exploitation.
FROM THE MEDIA: Meta has eliminated approximately 63,000 Instagram accounts linked to financial sextortion scams targeting primarily adult men in the U.S. and minors. The Nigerian cybercrime group Yahoo Boys, which coordinated 7,200 assets, including Facebook accounts and groups, was identified as the perpetrator. The scammers posed as teenage girls to lure victims into sharing explicit images, subsequently using these to extort money. In conjunction with INTERPOL's Operation Jackal III, numerous arrests and the seizure of $3 million in illegal assets were made. This crackdown is part of broader efforts to dismantle organized crime networks involved in various cyber and physical crimes.
READ THE STORY: THN
Middle East Financial Institution Suffers Six-Day DDoS Attack
Bottom Line Up Front (BLUF): A financial institution in the Middle East was subjected to a six-day distributed denial-of-service (DDoS) attack by the hacktivist group SN_BLACKMETA, resulting in nearly 100 hours of disrupted service. The attack, peaking at 14.7 million requests per second, highlights the ongoing threat posed by politically motivated cyber attackers.
Analyst Comments: This prolonged DDoS attack underscores the sophistication and persistence of modern hacktivist groups. SN_BLACKMETA's targeted campaign against Middle Eastern financial institutions, particularly those perceived to be aligned against Palestinian interests, mirrors the tactics of other hacktivist groups like Anonymous Sudan. The geopolitical motivations behind these attacks complicate defense measures, requiring robust cybersecurity strategies and international cooperation to mitigate such threats.
FROM THE MEDIA: Researchers from Radware reported that a Middle Eastern financial institution was targeted by SN_BLACKMETA, a pro-Palestinian hacktivist group, in a DDoS attack lasting six days and totaling around 100 hours. The attack reached a peak of 14.7 million requests per second, with the institution being under attack 70% of the time. Despite the intensity, the institution's web services remained operational. SN_BLACKMETA, active since November 2023, has targeted various organizations in the Middle East, accusing them of injustices against Palestinians. The group’s activities have drawn parallels with Anonymous Sudan, showing a 70% overlap in targeted countries.
READ THE STORY: The Record
Luxottica's 2021 Data Breach Resurfaces with New Details from Threat Actor
Bottom Line Up Front (BLUF): A recent post by a threat actor on a clandestine forum claims to provide updated information on the 2021 data breach of Luxottica, a major eyewear company. The breach reportedly exposed extensive personal data of millions of individuals, though the company has not confirmed this.
Analyst Comments: The reemergence of details about Luxottica’s 2021 data breach highlights the persistent risk and long-term impacts of cyber incidents. The claimed exposure of comprehensive personal data, including contact information and birth dates, underscores the potential for identity theft and targeted attacks. Luxottica’s large customer base makes the stolen data highly valuable to malicious actors, emphasizing the need for robust data protection and breach response strategies.
FROM THE MEDIA: A threat actor, using the pseudonym "Voided," has posted new details about Luxottica's 2021 data breach on a clandestine forum. The actor claims that the breach involves a large dataset containing sensitive personal information of millions, such as names, birth dates, email addresses, and phone numbers. The initial leak reportedly included a 120GB database and a smaller, more user-friendly 17GB version. Luxottica, a leading eyewear manufacturer, has not issued an official statement regarding this alleged breach. The exposed data could significantly increase the risk of identity theft and targeted phishing attacks for affected individuals.
READ THE STORY: Red Hot Cyber
FBI Faces Challenges with Encrypted Apps in Trump Shooter Investigation
Bottom Line Up Front (BLUF): The FBI is encountering difficulties accessing encrypted messaging applications used by Thomas Matthew Crooks, the man who attempted to assassinate former President Donald Trump. Despite initial success in accessing some data, end-to-end encryption remains a significant barrier.
Analyst Comments: This case underscores the persistent challenges law enforcement faces with encrypted communications. While tools like Cellebrite can provide some access, the inherent security features of end-to-end encryption prevent full visibility into potential threats. This situation highlights the ongoing debate between privacy and security, with implications for both public safety and individual rights.
FROM THE MEDIA: FBI Director Christopher Wray informed the House Judiciary Committee that the FBI is struggling to access encrypted messaging apps used by Thomas Matthew Crooks, the shooter who attempted to assassinate former President Trump. Although the FBI successfully accessed Crooks’ phone using Cellebrite technology, the encryption on his messaging apps poses a significant challenge. Wray emphasized that this issue is not unique to the FBI but affects state and local law enforcement nationwide. The investigation has revealed that Crooks conducted searches related to historical assassinations and registered for the rally on the same day. The FBI continues to gather information from Crooks’ devices, including a laptop and drone.
READ THE STORY: The Record
Chinese Smishing Triad Targets Indian iPhone Users in Sophisticated Phishing Scam
Bottom Line Up Front (BLUF): The Chinese Smishing Triad gang has launched a new phishing campaign against iPhone users in India, exploiting iMessage and impersonating India Post. The scam involves fake messages prompting users to disclose personal and financial information.
Analyst Comments: The Smishing Triad's expansion into India highlights the increasing sophistication and reach of phishing attacks. By exploiting trusted platforms like iMessage and impersonating a reputable entity like India Post, the attackers enhance the credibility of their scam. This underscores the need for heightened awareness and robust security measures among users to counter these evolving threats. The registration of numerous domains through a Chinese registrar also suggests a coordinated and well-funded operation.
FROM THE MEDIA: FortiGuard Labs has uncovered a new SMS phishing campaign by the Chinese Smishing Triad targeting Indian iPhone users. The attackers use iMessage to send fraudulent messages claiming a package is awaiting pickup at an India Post warehouse. Victims are directed to fake websites mimicking India Post, where they are asked to provide personal and financial information. Between January and July 2024, the group registered over 470 domain names, with 296 through Beijing Lanhai Jiye Technology Co., Ltd. Security experts emphasize the importance of user education and advanced security measures to mitigate such threats.
READ THE STORY: HackRead
North Korean Hackers Steal Military Secrets to Boost Nuclear Program
Bottom Line Up Front (BLUF): North Korean hackers, identified as the group Anadriel or APT45, have been conducting a global cyber espionage campaign targeting military and aerospace companies to support Pyongyang's nuclear ambitions. The U.S., U.K., and South Korea have issued a joint advisory warning about these ongoing threats.
Analyst Comments: This advisory highlights the persistent and sophisticated nature of North Korean cyber espionage activities, specifically targeting critical defense and aerospace sectors. The operations of APT45 underscore North Korea's strategic use of cyber capabilities to bolster its military advancements, including nuclear development. The inclusion of ransomware as a funding mechanism reflects the multifaceted approach of North Korean cyber actors, combining espionage with financial motivations to sustain their operations.
FROM THE MEDIA: North Korean hackers, operating under the Reconnaissance General Bureau and identified as Anadriel or APT45, have been implicated in stealing classified military secrets globally. Targets have included U.S. defense firms, NASA, and U.S. Air Force bases. The hackers have also used ransomware to finance their operations, with attacks on U.S. hospitals and healthcare companies. One notable ransomware incident involved a Kansas-based hospital in 2021. The FBI has issued an arrest warrant for Rim Jong Hyok, linked to these cyber activities, and is offering a $10 million reward for information leading to his capture. The U.S. government has seized $600,000 in cryptocurrency related to these attacks and continues to monitor the group's activities across various sectors.
READ THE STORY: Reuters // DarkReading
Russia Bans Personal Mobile Phones for Soldiers in Ukraine
Bottom Line Up Front (BLUF): Russia has enacted a law allowing military commanders to detain soldiers for up to ten days if caught using personal mobile phones while deployed in Ukraine. The law aims to prevent the sharing of sensitive information and to ensure the safety of military personnel.
Analyst Comments: This move by Russia reflects broader security concerns regarding the potential for mobile devices to compromise military operations. While intended to prevent the exposure of operational details and geolocation data, the ban could also stifle soldiers' communication and hinder their ability to document and report issues within the military. The criticism from within the military suggests that the policy may face challenges in implementation and could have adverse effects on morale and operational efficiency.
FROM THE MEDIA: Russia has introduced a law prohibiting soldiers from using personal mobile phones while fighting in Ukraine. The law allows military unit commanders to detain soldiers for up to ten days if found in violation. The restrictions aim to prevent the sharing of audio, photo, video materials, and geolocation data. Despite the intended security benefits, the ban has faced criticism from soldiers and military bloggers who argue that mobile phones are essential for communication and navigation. Critics also suggest that the Kremlin initiated the ban to prevent soldiers from exposing problems within the military.
READ THE STORY: The Record
GitHub's Data Deletion Practices Raise Security Concerns
Bottom Line Up Front (BLUF): Researchers at Truffle Security have discovered that data from deleted GitHub repositories and forks may still be accessible, posing a significant security risk. Despite the potential for exposing sensitive information, GitHub maintains that this behavior is intentional and documented.
Analyst Comments: The revelation that deleted GitHub repository data can still be accessed through forks exposes a critical vulnerability, especially for sensitive information like API keys and private data. GitHub's stance that this is a feature rather than a bug highlights a gap between user expectations and platform design, necessitating better awareness and possibly enhanced security measures to protect data integrity.
FROM THE MEDIA: Truffle Security researchers found that data from deleted GitHub repositories, including forks, can still be accessed, which they term a Cross Fork Object Reference (CFOR) vulnerability. This issue was illustrated by accessing sensitive commit data from deleted repositories via forks. Despite the risks, GitHub considers this behavior intentional, as noted in their documentation. The vulnerability allows for the retrieval of "dangling commits" if the identifier is known, posing a risk of unauthorized data access. The researchers suggest that GitHub should enable permanent deletion of commits to mitigate this issue.
READ THE STORY: The Register
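The CFOR issue above rests on a basic git property: a commit stays in the object store after the branch or fork that pointed at it is gone, so anyone holding its hash can still fetch it. The audit below, an added example and not code from Truffle Security or GitHub, shows that property locally by reading a repository's loose objects directly and listing commits no ref reaches, the check a team should run (in practice via `git fsck --unreachable`, which also covers packfiles and packed-refs that this simplified reader does not) before concluding that a force-push or branch deletion removed a leaked secret. The demo repository it builds is constructed in a temp directory; no git binary is required.

```python
"""Find commit objects in a local .git that no ref reaches (added example)."""
import hashlib
import os
import tempfile
import zlib


def _write_loose_object(git_dir, kind, payload):
    """Store an object exactly as git does: zlib("<kind> <len>\\0" + payload)."""
    raw = f"{kind} {len(payload)}\0".encode() + payload
    sha = hashlib.sha1(raw).hexdigest()
    obj_dir = os.path.join(git_dir, "objects", sha[:2])
    os.makedirs(obj_dir, exist_ok=True)
    with open(os.path.join(obj_dir, sha[2:]), "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha


def _read_loose_object(git_dir, sha):
    """Return (kind, payload) for a loose object; packfiles are not handled."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, _, payload = raw.partition(b"\0")
    return header.split(b" ", 1)[0].decode(), payload


def _iter_loose_objects(git_dir):
    """Yield the 40-char hash of every loose object (skips pack/ and info/)."""
    objects = os.path.join(git_dir, "objects")
    for entry in os.listdir(objects):
        sub = os.path.join(objects, entry)
        if len(entry) == 2 and os.path.isdir(sub):
            for name in os.listdir(sub):
                yield entry + name


def _ref_tips(git_dir):
    """Collect the commit hashes that branches and tags under refs/ point at."""
    tips = []
    for root, _dirs, files in os.walk(os.path.join(git_dir, "refs")):
        for name in files:
            with open(os.path.join(root, name)) as fh:
                tips.append(fh.read().strip())
    return tips


def _parents(payload):
    """Parse 'parent <sha>' lines from a commit object's header block."""
    parents = []
    for line in payload.split(b"\n"):
        if line == b"":
            break  # blank line ends the header; the message follows
        if line.startswith(b"parent "):
            parents.append(line[7:].decode())
    return parents


def find_dangling_commits(git_dir):
    """Return sorted hashes of loose commits not reachable from any ref."""
    commits = {}
    for sha in _iter_loose_objects(git_dir):
        kind, payload = _read_loose_object(git_dir, sha)
        if kind == "commit":
            commits[sha] = _parents(payload)
    reachable, stack = set(), [t for t in _ref_tips(git_dir) if t in commits]
    while stack:
        sha = stack.pop()
        if sha in reachable:
            continue
        reachable.add(sha)
        stack.extend(p for p in commits[sha] if p in commits)
    return sorted(set(commits) - reachable)


def build_demo_repo():
    """Constructed fixture: main -> c1; c2 once held a secret and was 'removed'
    by resetting the branch, yet its object still sits in .git/objects."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    tree = _write_loose_object(git_dir, "tree", b"")  # empty tree, enough for a demo
    c1 = _write_loose_object(git_dir, "commit", b"tree %s\n\ninitial\n" % tree.encode())
    c2 = _write_loose_object(
        git_dir, "commit",
        b"tree %s\nparent %s\n\nadd api key (branch later reset to drop it)\n"
        % (tree.encode(), c1.encode()))
    with open(os.path.join(git_dir, "refs", "heads", "main"), "w") as fh:
        fh.write(c1 + "\n")  # the branch points at c1; nothing references c2
    return git_dir, c1, c2


if __name__ == "__main__":
    repo, _keep, dropped = build_demo_repo()
    print("dangling commits:", find_dangling_commits(repo), "expected:", dropped)
```

On a real repository the same reasoning applies to every fork that ever fetched the commit, which is why rotating the exposed credential, not rewriting history, is the fix.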
"Internet Apocalypse": Ukraine's Cyber Strike Cripples Russia's Digital Infrastructure
Bottom Line Up Front (BLUF): Ukrainian cyber experts from the Main Directorate of Intelligence (HUR) have launched a large-scale cyberattack on Russia's digital infrastructure, severely disrupting banking, social networks, and payment systems. This ongoing operation, now in its third day, targets entities supporting Russia's military aggression against Ukraine.
Analyst Comments: The extensive cyber offensive by Ukrainian intelligence illustrates the strategic use of cyber warfare in modern conflicts. The targeting of financial institutions, communication platforms, and payment systems is likely intended to disrupt both the economy and daily life in Russia, potentially weakening support for the war effort. The denial of service and instability across multiple sectors highlights the vulnerabilities in Russia's digital infrastructure.
FROM THE MEDIA: A source within the Ukrainian special services reported that the HUR has been conducting a cyberattack on Russian digital infrastructure for three days. The operation has targeted major Russian banks, payment services, social networks, and communication platforms. Entities affected include Alfa Bank, Sberbank, VK, Discord, and the NSPK payment system. Financial institutions have experienced severe disruptions, impacting customers' ability to access accounts and perform transactions. Internet providers like Beeline and Rostelecom are also under attack, further complicating the situation. The attacks aim to weaken Russia's capacity to support its military activities against Ukraine.
READ THE STORY: Liga
Hackers Allegedly Leak CrowdStrike’s Threat Actor Database
Bottom Line Up Front (BLUF): A hacktivist group, USDoD, claims to have leaked CrowdStrike’s comprehensive threat actor database, including indicators of compromise (IOC) with over 250 million data points. CrowdStrike has responded, casting doubt on the severity and authenticity of the breach.
Analyst Comments: If the claims by USDoD are verified, this leak could significantly impact global cybersecurity operations, exposing ongoing investigations and aiding cybercriminals in evading detection. However, given USDoD's history of exaggeration and the inconsistencies in the leaked data, skepticism is warranted.
FROM THE MEDIA: On July 24, 2024, hacktivist group USDoD claimed on a cybercrime forum to have leaked CrowdStrike’s extensive threat actor database. This includes adversary aliases, status, last active dates, origin, and targeted industries and countries. The alleged leak could compromise cybersecurity measures, ongoing investigations, and tracking methods. CrowdStrike has acknowledged the data’s availability to numerous users and questioned the leak's authenticity due to USDoD's history of exaggerated claims. The breach follows CrowdStrike’s recent software update causing widespread Windows system crashes.
READ THE STORY: CSN
Telegram Exploit Enables Malware Distribution via Video Files
Bottom Line Up Front (BLUF): A zero-day flaw in Telegram's Android app, dubbed "EvilVideo," was exploited to distribute malicious APK files disguised as videos. This vulnerability allowed attackers to trick users into installing malware, leading to potential security risks.
Analyst Comments: The exploitation of Telegram's API to distribute malware highlights the increasing sophistication of threat actors in leveraging popular communication platforms for cyber attacks. Users should be cautious of unexpected media files and ensure their apps are updated regularly to mitigate such risks.
FROM THE MEDIA: A zero-day vulnerability in Telegram's Android app, known as "EvilVideo," was exploited to distribute malware hidden in video files. The flaw, which was put up for sale on an underground forum in June, allowed attackers to upload malicious APK files disguised as videos using Telegram's API. When users attempted to play the video, they were prompted to install the malicious APK. Telegram addressed the issue in version 10.14.5 on July 11. The exploit was primarily effective on the mobile app, with Telegram's web and Windows clients remaining unaffected. This incident coincides with other malware campaigns exploiting Telegram-based platforms to distribute harmful software, emphasizing the need for vigilant cybersecurity practices.
READ THE STORY: THN
Items of interest
Israel Accused of Influencing WhatsApp Case Against NSO Group
Bottom Line Up Front (BLUF): Leaked documents suggest the Israeli government attempted to influence a legal case between WhatsApp and the NSO Group by seizing sensitive documents and pushing for changes to court filings. This action aimed to protect NSO from accountability regarding its Pegasus spyware.
Analyst Comments: The involvement of the Israeli government in the NSO Group's legal battle with WhatsApp highlights the complex relationship between state interests and private cybersecurity firms. The Pegasus spyware, implicated in numerous human rights violations, has been a diplomatic tool for Israel, complicating efforts to regulate its use impartially. This interference raises concerns about the transparency and integrity of legal proceedings involving powerful state-backed technologies.
FROM THE MEDIA: An investigation by Forbidden Stories and Amnesty International reveals that the Israeli government intervened in the WhatsApp-NSO Group lawsuit by seizing sensitive documents and imposing a gag order to prevent press coverage. The NSO Group, maker of the Pegasus spyware, has been in a legal battle with WhatsApp since 2019 over the hacking of 1,400 users. The leaked documents, obtained from the Israeli Justice Ministry, suggest efforts to shield NSO from accountability. Amnesty International's Security Lab confirmed the documents' authenticity, raising questions about Israel's commitment to regulating NSO and providing justice to victims of Pegasus spyware.
READ THE STORY: The Record
Why Pegasus Spyware FAILED Israel During Hamas Attack (Video)
FROM THE MEDIA: On October 7th, 2023, Palestinian militant groups, led by Hamas, launched "Operation al-Aqsa Flood," a full-scale invasion of southern Israel from the Gaza Strip, marking the deadliest attack in Israeli history. The fact that such a massive assault, one reportedly up to two years in the making, happened in this way indicates nothing less than a catastrophic intelligence failure on the part of the Israelis, raising questions about the role of the Pegasus spyware.
How Israel tests weapons in Gaza, then sells them abroad (Video)
FROM THE MEDIA: In this episode of The Big Picture Podcast, we sit down with investigative journalist Antony Loewenstein to talk about how for decades, Israel used its occupation of Palestinians as a testing ground for new weaponry, which it then packages and sells to governments around the world. In fact, Loewenstein argues that since its inception, Israel built its economy around military and surveillance technology, exporting it to some of the world’s most repressive regimes including Myanmar, Pinochet’s Chile and apartheid South Africa.
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.